Creating Tenants for Exchange 2010 SP2 Multi Tenant

Submitted by jdixon on Tue, 01/03/2012 - 8:04pm

Exchange 2010 SP2 has been released! Sucks for some of us using /hosting since there isn’t really a good migration path other than doing a forest migration. Anyways, SP2 has been released and we get the EMC back, and also some more roles such as the unified messaging role!

Most automation software [as of 1/2/2012] does not support SP2 yet. Some that currently do are ExtendASP, and I believe MachSol will in a couple of weeks. Personally I have not used either.

Anyways, you can still separate your tenants manually without automation software, but it is more complex and requires more steps than Exchange /hosting did. You will have to create multiple address lists and also use custom attributes. You can read the documentation at Download: Exchange 2010 SP2 Multi-Tenant Scale Guidance …

Note: Lync is supposed to be coming out with a hosting pack and requires a specific active directory organizational unit structure to work. I do not have this information so you may want to wait if you plan on deploying Lync Hoster pack with Exchange 2010 SP2.

I am currently working on a PowerShell script to automate this process and will post it once I finish. Below are the commands to create what you need. Just replace things such as the tenant name I used and the domain names. I also used CustomAttribute1, but you can of course use any of the custom attributes [1-15].

Create an OU for the tenant. I placed mine under an OU called 'Tenants'.

Notes:

I used the parent OU as 'Tenants'. Lync has certain requirements for the hoster pack that I haven't read yet.

Be sure to change the domain to your local domain name

Each user must be assigned the address book policy for that specific tenant.

Be sure to run Update-OfflineAddressBook after creating everything. Also when creating mailbox users you must put the tenant’s name in the mailbox CustomAttribute1.

Keep in mind there can be other settings that need to be set to make sure your users do not have access to other tenants. This is where the automation software comes in with creating group policies that make sure some users (like RDP users) cannot access or see the other tenants, not to mention the fact that it would just make your life easier.
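As an added worked example (mine, not the article's New-Tenant.ps1 from the ZIP), here are the notes above carried through as one Exchange Management Shell sequence. The tenant name, domain and OU path are placeholders; the address-list filters are my choice and follow the pattern the article describes (a CustomAttribute1 filter plus a recipient container on every list):

```powershell
# Added example: provision one tenant the way the notes above describe.
# Run from the Exchange Management Shell on a server that is not a global catalog.
Import-Module ActiveDirectory

$TenantName   = 'Contoso'                           # placeholder: this value goes into CustomAttribute1
$TenantDomain = 'contoso.example'                   # placeholder: the tenant's SMTP and UPN domain
$ParentOU     = 'OU=Tenants,DC=hosting,DC=local'    # placeholder: change to your local domain
$TenantOU     = "OU=$TenantName,$ParentOU"

# 1. One OU per tenant under the parent 'Tenants' OU
New-ADOrganizationalUnit -Name $TenantName -Path $ParentOU

# 2. Accepted domain plus UPN suffix, so users sign in as user@tenant-domain
New-AcceptedDomain -Name $TenantDomain -DomainName $TenantDomain -DomainType Authoritative
Set-ADForest -Identity (Get-ADForest) -UPNSuffixes @{Add = $TenantDomain}

# 3. Address lists. Two things scope every list to the tenant: the CustomAttribute1
#    filter and the RecipientContainer (the tenant OU). Without the container,
#    Outlook still shows the other tenants' lists.
$Tag = "(CustomAttribute1 -eq '$TenantName')"
$GAL = New-GlobalAddressList -Name "$TenantName GAL" `
        -RecipientFilter $Tag -RecipientContainer $TenantOU
$AllUsers = New-AddressList -Name "$TenantName All Users" `
        -RecipientFilter "((RecipientType -eq 'UserMailbox') -and $Tag)" -RecipientContainer $TenantOU
$AllRooms = New-AddressList -Name "$TenantName All Rooms" `
        -RecipientFilter "((RecipientTypeDetails -eq 'RoomMailbox') -and $Tag)" -RecipientContainer $TenantOU
$AllGroups = New-AddressList -Name "$TenantName All Groups" `
        -RecipientFilter "((RecipientType -eq 'MailUniversalDistributionGroup') -and $Tag)" -RecipientContainer $TenantOU
$AllContacts = New-AddressList -Name "$TenantName All Contacts" `
        -RecipientFilter "((RecipientType -eq 'MailContact') -and $Tag)" -RecipientContainer $TenantOU

# 4. OAB built from the tenant GAL, then the address book policy that ties it all together
$OAB = New-OfflineAddressBook -Name "$TenantName OAB" -AddressLists $GAL
$ABP = New-AddressBookPolicy -Name "$TenantName ABP" `
        -AddressLists $AllUsers, $AllGroups, $AllContacts `
        -GlobalAddressList $GAL -OfflineAddressBook $OAB -RoomList $AllRooms

# 5. The tenant's administrator mailbox. sAMAccountName must be unique forest-wide,
#    hence the domain suffix and the 20-character trim. CustomAttribute1 is set
#    afterwards because New-Mailbox has no parameter for it.
$Sam = 'administrator_' + ($TenantDomain -replace '[^A-Za-z0-9]', '')
if ($Sam.Length -gt 20) { $Sam = $Sam.Substring(0, 20) }
$Password = Read-Host -AsSecureString -Prompt "Password for administrator@$TenantDomain"
$Admin = New-Mailbox -Name 'Administrator' -DisplayName 'Administrator' `
        -UserPrincipalName "administrator@$TenantDomain" -SamAccountName $Sam `
        -PrimarySmtpAddress "administrator@$TenantDomain" `
        -OrganizationalUnit $TenantOU -Password $Password -AddressBookPolicy $ABP
$Admin | Set-Mailbox -CustomAttribute1 $TenantName

# Optional: if the tenant gets its own mailbox database, point the database at the
# tenant OAB so cached-mode Outlook downloads the right one.
# Set-MailboxDatabase -Identity "$TenantName DB" -OfflineAddressBook $OAB

# 6. Refresh the GAL and, as the notes say, the OAB once everything exists
Update-GlobalAddressList -Identity $GAL
Update-OfflineAddressBook -Identity $OAB
```

Every user created later for this tenant needs the same three things the administrator gets here: CustomAttribute1 set to the tenant name, the tenant ABP assigned, and a UPN in the tenant domain. As the comments on this article point out, Outlook ignores the ABP whenever it can talk to a global catalog directly, so test from a client workstation, not from a DC or an Exchange server.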

***********************************************************

*UPDATED* 3/17/2012

Below are the changes:

Fixed error that was caused by entering the display name as 'Lastname, First'. It will now set the Name to 'Firstname Lastname' and set the DisplayName to what you specify, even if it is with a comma.

*UPDATED* 3/16/2012

Below are the changes:

New PowerShell script to secure the root OAB container (Secure-DefaultOAB)

Modified New-Tenant script to use 'Username_Domain.ext' (with the dot removed) for the samAccountName. So if I created a domain called itswapshop.com and a user called Jacob Dixon, it will set the samAccountName to jdixon_itswapshopcom (20 characters max; if longer, it is trimmed automatically).

Modified New-Tenant script to no longer include an email address policy. Instead, when creating a tenant, the administrator mailbox's primary SMTP address is set to administrator@domain.com.

Modified New-User script with the same samAccountName changes as well not using an email address policy. Instead it will put the primary smtp address to <first initial><last name>@<domain>.<ext>. Example: jdixon@itswapshop.com

Modified New-Tenant to grant the All Users group for that tenant the right to download the OAB for that specific tenant.

Modified New-Tenant to specify the OAB when creating the user

Modified New-User to specify the OAB when creating the user

Notes:

If you used the previous script, the OAB was not secured. You must do this manually. Remove the 'MS-EXCH-DOWNLOAD-OAB' extended right from the Authenticated Users group on the root container and on all OABs. Then grant the specific All Users group for that tenant the extended right 'MS-EXCH-DOWNLOAD-OAB' on that tenant's OAB.
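An added example of the manual fix described in this note (my script, not the article's Secure-DefaultOAB.ps1), with a check at the end that lists who can still download each OAB. The tenant group and OAB names follow the article's "<Tenant> All Users" and "<Tenant> OAB" convention, which is an assumption; everything else is looked up from the organization:

```powershell
# Added example: move OAB download from "every authenticated user" to one group per tenant.
# Run from the Exchange Management Shell as an Exchange organization administrator.
param(
    [Parameter(Mandatory=$true)] [string]$TenantName,       # e.g. 'Contoso' (placeholder)
    [string]$TenantGroup = "$TenantName All Users",         # assumed group name, per the article's convention
    [string]$TenantOabName = "$TenantName OAB"              # assumed OAB name, per the article's convention
)
$Right = 'MS-EXCH-DOWNLOAD-OAB'   # the extended right that gates OAB download

# Root container holding every OAB, in the Exchange part of the configuration partition
$OrgName  = (Get-OrganizationConfig).Name
$ConfigNC = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
$OabRoot  = "CN=Offline Address Lists,CN=Address Lists Container,CN=$OrgName,CN=Microsoft Exchange,CN=Services,$ConfigNC"

# 1. Take the right away from Authenticated Users on the root and on every OAB.
#    While it is there, any authenticated account can pull any tenant's OAB.
#    Remove-ADPermission only touches explicit ACEs; ACEs inherited from the root
#    disappear with the root entry.
$Everyone = 'NT AUTHORITY\Authenticated Users'
Remove-ADPermission -Identity $OabRoot -User $Everyone -ExtendedRights $Right -Confirm:$false
Get-OfflineAddressBook | ForEach-Object {
    Remove-ADPermission -Identity $_.DistinguishedName -User $Everyone -ExtendedRights $Right -Confirm:$false
}

# 2. Grant it back to exactly one group on exactly one OAB
$TenantOab = Get-OfflineAddressBook -Identity $TenantOabName
Add-ADPermission -Identity $TenantOab.DistinguishedName -User $TenantGroup -ExtendedRights $Right

# 3. Verify: every remaining holder of the download right, per OAB. Expect the
#    tenant group on its own OAB and no 'Authenticated Users' anywhere.
Get-OfflineAddressBook | ForEach-Object {
    $oab = $_
    Get-ADPermission -Identity $oab.DistinguishedName |
        Where-Object { -not $_.Deny -and ("$($_.ExtendedRights)" -match 'Download-OAB') } |
        Select-Object @{n = 'OAB'; e = { $oab.Name }}, User, IsInherited
} | Format-Table -AutoSize
```

Run step 1 once per organization and steps 2 and 3 once per tenant. The verification table is worth keeping as a periodic check: a new OAB created later by hand (for a resource mailbox tenant, say) starts out with the inherited default again unless the root entry has already been removed.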

The newest ZIP file is at the bottom of this article. It is labeled with today's date (3/16/2012). If you have any problems, feel free to email me at jacobdixon@live.com or post a comment here. Thanks!

*UPDATED* 3/3/2012

I have replaced the original New-Tenant PowerShell script and added scripts for removing tenants and adding new users.

One of the changes is that the parent OU in the script is now "Hosting". In each script I wrote examples of how to use it. It also now creates two security groups under each tenant: "Organization Management" and "All Users". When you use the script to create a new user, it automatically adds the user to the All Users group and grants the Organization Management security group full access to that user's mailbox. From there you can write your own web interface so the Administrator user can make changes to people in the "All Users" group. You WILL NOT be able to use OWA/ECP online to make these changes. Exchange 2010 SP2 is not set up this way, which is why you need a control panel.

If you have any problems please let us know! You will find the new scripts in a ZIP file at the bottom of the article.

*UPDATED* 2/29/2012

I left out some important steps when I posted this article. I have updated the article and it now does not show the other address lists to the other users in Outlook.

I have also uploaded a PowerShell script I created. Keep in mind it doesn't do any error checking. It will create all the address lists, the GAL, the address book policies, and the administrator mailbox for you.

Be sure to run it from the Exchange Management Shell and enter these commands before you run it:

Import-Module ActiveDirectory
Set-ExecutionPolicy RemoteSigned

Yes, the release of Exchange 2010 SP2 closed the chapter of /hosting mode, and all those providers using /hosting mode must migrate to on-premise mode if they want to stay in the competition. Also, it is the best time to upgrade to Exchange 2010 SP2 because it comes with a new and enhanced feature set. However, for a smooth migration path one should consult with ISVs like MachSol, which comes with a ready-to-go migration toolkit and provides comprehensive support. Furthermore, with respect to Exchange 2010 SP2 I would like to mention:

1. I did not find any information regarding ExtendASP support for Exchange 2010 SP2, including on their official website.
2. MachSol announced MachPanel's support for Exchange 2010 SP2 last year in December, and you can read more about it at http://goo.gl/iV6Jt and http://goo.gl/I1s4Q

I'm still trying to figure out how to:
- Grant access to ECP to some users.. Figure out which features don't work, disable those, or fix them, or whatnot.
- Remove or disable the emailaddresspolicy that is attaching the install/base organization email address from the default emailaddresspolicy. I've added creating email address policies to my tenant provisioning code so that they all get whatever domains attached that they need to their mailbox.
- Figure out how this should all mesh properly with the Lync hoster pack.. @_@

I have updated the commands since I left out the recipient container. Doing this will hide the other address lists from other users. I also put in commands for the email address policy and creating a mailbox user.

Attached is a powershell script to automate a lot of this for you. See the top of the article for instructions. If you have any trouble let me know and I will try to be more prompt than I have been!

Thanks for the reply, at the moment I have not created any additional users for the test tenant/s. Just using the Administrator account which is created using your script, which as you would know does have the customattribute1 set and the policy applied. OWA works a treat as this user cannot see any of the other 40+ users/groups. However in Outlook the user sees everything.

Yes, that is correct. I have read the scale guidance from MS. Is Security Groups / Universal Groups still needed? Earlier we had a Exchange 2010 SP1 multi tenant setup, where Address List Segregation were used based on groups.

Yes, you are supposed to have security groups, but from what I gathered from the document they are to be used for external applications and such for that specific tenant. SP2 uses address book policies to separate the tenants.

You can log in to the ECP with the newly created administrator account to manage that tenant's email addresses. If you are still lost, you might check out some books on Exchange 2010. Here is a good free ebook I found that might help you out:

@ingram Sorry this is actually incorrect. With SP2 you can only manage a mailbox if you are part of the organization management security group. The problem is that gives you access to manage everyone.

This is a good reason why you need your own web interface to manage specific tenants. With my new script it creates a security group for each tenant called "Organization Management". Also when you use the script to create a new user it adds the user to All Users and grants Organization Management full access.

This is where you would write a program or web application that people would log in to. So you would write something that basically says: if the logged-on user is in the Organization Management security group of that tenant, then allow the user to modify options of the other users.

With your new script it creates a security group for each tenant called "Organization Management" and an administrator, but using this administrator I am not able to create or delete user mailboxes from the ECP, even though I have Organization Management (not the built-in one).

I was able to log in to the ECP with the new admin account which has a Windows 2000 login name of administrator2. but if I try to login with the new tenant domain domain\administrator with password doesn't yield any results. When I log into the ECP, i can only manage the admin's mailbox.

I haven't even checked into that. Really in this situation you want to design your own ECP and disable the built in one. Also you will want the users to login using the UPN instead of domain\username.

My script simply just creates a user named Administrator for that domain. It doesn't assign any permissions that allows it to manage that tenant.

Thanks for pointing this out and I will try to modify it.

In the meantime, did you get the script to work and the GAL to separate in Outlook? I have tested this again in my environment and I cannot see any other address list of any other tenant in Outlook or OWA. As long as you have the recipient containers set on the address lists, the CustomAttribute1 on the users, the address book policy set, and the UPN set right for the tenant, you should not see anything but other users in the same tenant.

I would also like to point out that you shouldn't really do this article in a production environment. You need something more proven and solid like Citrix CloudPortal, ExtendASP, Parallels, etc. I know they cost but they provide all the capabilities you will need to resell these services and manage these services (plus more).

This article was simply an attempt to separate it according to the document released by Microsoft (and to play around lol). Since Microsoft doesn't give very detailed information, this is basically my attempt to mimic the separation of tenants with Address Book Policies.

One more thing. My problem is that all the other address lists are shown in the 'All Address Lists' container in Outlook. The address list container for all is also only this: "/" and nothing more. What to do?

Thanks for the answer. That answered the problem I was having with Outlook. The problem I have now is that removing GC from the DC that Exchange is installed on completely breaks Outlook Anywhere, since to my knowledge Exchange will only communicate with the DC it's installed on and it will not authenticate Outlook Anywhere clients. So what do you think is the best way around this issue?

Sorry for the delay in getting back, I have been busy. As a test I have installed Exchange on a Hyper-V VM and retested. As per the above post it is working. In Outlook I do not see the other users, same with OWA. Exchange cannot be on a GC. Thanks for the script, it is really useful and will save a lot of time entering commands.

The only thing I would like to see is a modified script for adding individual users without it creating the OU, address lists, etc. Just specify a username and password etc. and it will autofill the rest.

Last year I set up an Exchange 2010 that is behind a TMG SP2 for use in a multi-tenancy environment, and I have to say that it is working as it should. Our customers access their mail with OWA, POP or IMAP.
Now we have a new customer that wants to use Outlook Anywhere, and my question is:
can we do this? I mean, because there is not a global address list and each customer has his own GAL and OAB, how can we configure Exchange and TMG for Outlook Anywhere access?
Thanks

Can someone give me a guidance on how to remove GC role from Exchange server.
I have one server with DC/GC/Exchange2010 all roles installed on it and now is having the same ABP not working in Outlook issue.

I hope all is going well. I was curious if you had a chance to look at the additional scripts you mentioned? It would be a life saver, well, time saver. More than happy to pay or donate, as it is such a great script you have already provided!

Update on scripts: I've spoken with jdixon, and he is currently working on enhancing the current script, as well as creating a couple of new scripts, including one to create users. They will be posted when completed.

I have supplied with updated scripts for creating the tenants, adding new users, and removing tenants. We do this for free but who doesn't love donations lol :-)

Anyways let me know how the new scripts work for you.

Please keep in mind you won't be able to manage tenants using OWA. Exchange wasn't really built that way for this. This is where an automation control panel, or a website you create yourself for managing tenants, comes in.

In the scripts I did create two universal security groups, auto-add the users to an "All Users" group, and auto-add the administrator to the "Organization Management" group. When creating new users it will also grant the "Organization Management" group for that tenant Full Access to the user mailbox. From there you can write something using those security groups to let the tenant administrator user manage it.

Very useful information. Can anyone advise though on what needs to be done (if anything extra) to ensure Outlook clients in cached mode download the correct Offline address book. What do I set the default OAB to be on a mailstore basis (and will this have any effect)?

These scripts will create the address lists, gal, OAB, and address book policies along with the organization units in AD.

There is not a "correct" script to do this that Microsoft provides. Everyone may do it a little different but follows the guidelines that Microsoft provided.

This script will successfully create the OUs and all the Exchange objects you will need to get started with your multi-tenant setup. After running these scripts you can set up Outlook or OWA (as long as Exchange is not installed on a GC) and you will notice you cannot see the other users, their distribution groups, or other address lists.

Here are some other things you may want to do:

Modify OU security

Setup web application so users can modify their settings such as passwords and any other AD settings (Manager, Office, Address, etc).

Found one little bug: New-User.ps1 uses $DisplayName for both Display Name & Full Name attributes. If you want your Display Names in Lastname, Firstname format, this causes 2 problems:

1. The Full Name is also in Lastname, Firstname format.

2. AD escapes the "," to become "\," in the DN. The script doesn't escape the comma, and fails when it tries to query AD for the account just created.

I'm modifying it to concatenate Firstname & Lastname to avoid both problems. Don't know if there are other characters that have to be escaped in DNs, however. (And I'm enough of a PS noob that I'm not sure I could handle that yet anyway!)
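The bug reported above, together with the samAccountName and Name rules the article's 3/16 and 3/17 updates describe, in one added PowerShell example of mine (not the article's New-User.ps1): it derives the account names from first name, last name and tenant domain, and it escapes the RDN so a DN containing a comma can still be queried. The function names and the lookup at the end are my choices:

```powershell
# Added example: name derivation plus DN escaping for the New-User case discussed above.
Import-Module ActiveDirectory

# Escape the characters RFC 4514 marks special in an RDN value. The comma is the one
# that bit the script above; backslash must be handled first so it is not double-escaped.
function ConvertTo-EscapedRdnValue {
    param([Parameter(Mandatory=$true)][string]$Value)
    $escaped = $Value -replace '\\', '\\'              # .NET replacement text treats \ literally: one becomes two
    $escaped = $escaped -replace '([,+"<>;])', '\$1'    # prefix each special character with a backslash
    if ($escaped.StartsWith('#') -or $escaped.StartsWith(' ')) { $escaped = '\' + $escaped }
    if ($escaped.EndsWith(' ')) { $escaped = $escaped.Substring(0, $escaped.Length - 1) + '\ ' }
    return $escaped
}

# Every name the article's rules derive: CN from "First Last", sAMAccountName as
# <first initial><last>_<domain without dots> trimmed to 20, and SMTP/UPN as
# <first initial><last>@<domain>. DisplayName stays whatever the caller passes.
function New-TenantUserNames {
    param(
        [Parameter(Mandatory=$true)][string]$FirstName,
        [Parameter(Mandatory=$true)][string]$LastName,
        [Parameter(Mandatory=$true)][string]$Domain,          # e.g. itswapshop.com
        [string]$DisplayName = "$LastName, $FirstName"         # comma form is allowed on purpose
    )
    $user   = ($FirstName.Substring(0, 1) + $LastName).ToLower() -replace '[^a-z0-9]', ''
    $suffix = $Domain.ToLower() -replace '[^a-z0-9]', ''
    $sam    = "${user}_$suffix"
    if ($sam.Length -gt 20) { $sam = $sam.Substring(0, 20) }   # sAMAccountName hard limit
    New-Object PSObject -Property @{
        Name               = "$FirstName $LastName"            # the CN, so it never carries the comma
        DisplayName        = $DisplayName
        SamAccountName     = $sam
        UserPrincipalName  = "$user@$Domain"
        PrimarySmtpAddress = "$user@$Domain"
        EscapedRdn         = 'CN=' + (ConvertTo-EscapedRdnValue -Value $DisplayName)
    }
}

# Usage with the article's own sample user
$n = New-TenantUserNames -FirstName 'Jacob' -LastName 'Dixon' -Domain 'itswapshop.com' -DisplayName 'Dixon, Jacob'
$n | Format-List

# Looking the account up by sAMAccountName instead of by DN sidesteps escaping entirely,
# which is the simplest fix for the failing query the comment describes.
# Get-ADUser -Filter "sAMAccountName -eq '$($n.SamAccountName)'"
```

For the article's example user this produces the same jdixon_itswapshopcom the 3/16 update describes (exactly 20 characters), a CN of "Jacob Dixon", and an RDN of `CN=Dixon\, Jacob` that AD will accept in a DN. Querying by sAMAccountName or by the object GUID returned from New-Mailbox avoids depending on the DN at all.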

Funny thing... I'm a PS noob too! hahaha. I have plenty of experience with C#, so I guess that kinda helps me a little. A more advanced PS scripter could have written this much better than myself :-)

Anyways, I will probably look into that tomorrow or Sunday to get that fixed for you. In the meantime I posted some updated scripts that drop the use of an EAP and set the primarysmtpaddress when creating the user. The reason I did this is because using an EAP will put the local accepted domain in the list of email addresses.

Also I updated it to secure the OAB so other tenants cannot see. Of course you must first follow the instructions I posted in the update.

Thanks again for pointing out the bug. I updated the script and you can now enter the display name with a comma or without. So it will always set the name to "Firstname Lastname" but allow you to set the Display Name however you like.

Yeap, the OU exists. What's interesting is if I run the script again, without running Remove-Tenant then it works successfully. I am going to put some pauses into the script and see if it's a timing issue or related to AD replication.

Use the non-Exchange "Company" field for the tenant name instead of Custom Attribute 1, and modify the EAP (as used in the 3 Mar 2012 version of the script) to make the Company field the Condition that's checked by the EAP. Then call Enable-Mailbox against the user object (instead of New-Mailbox), to mail-enable the user.

In this way, you don't get the default alias@internal.local e-mail address, because the Default EAP will never be applied to the mailbox. This allows use of EAPs in compliance with MS's multi-tenant guidance, while eliminating the default address for which you removed EAPs in the 16 Mar 2012 version of the script.

Another advantage: If you host more than just Exchange, some users might be mail-enabled, while others might not. For non-mail-enabled users, you just programmatically skip the Enable-Mailbox part, or make it a separate script. If the Company field is already filled during initial provisioning, and the customer decides to opt for e-mail, the account is Exchange-ready after you run New-Tenant.ps1.
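The suggestion above as an added example of mine (not the commenter's code or the article's script): tag the user with the Company field, give the tenant an EAP whose condition is that field, and mail-enable the existing account with Enable-Mailbox. Names and the address template are placeholders:

```powershell
# Added example: Company-field tagging, a tenant EAP keyed on it, and Enable-Mailbox.
# Run from the Exchange Management Shell.
Import-Module ActiveDirectory

$TenantName   = 'Contoso'                                     # placeholder: stored in the Company field
$TenantDomain = 'contoso.example'                             # placeholder: tenant SMTP domain
$TenantOU     = 'OU=Contoso,OU=Hosting,DC=hosting,DC=local'   # placeholder: tenant OU
$TenantAbp    = "$TenantName ABP"                             # assumed ABP name from tenant provisioning

# 1. One EAP per tenant. Its condition is the Company field, and it is scoped to the
#    tenant OU. Exchange applies only the highest-priority matching policy, so an
#    account that matches this one never receives the default policy's
#    alias@internal.local address. The template below gives first.last@tenant-domain.
New-EmailAddressPolicy -Name "$TenantName EAP" `
    -RecipientContainer $TenantOU `
    -RecipientFilter "(Company -eq '$TenantName')" `
    -EnabledEmailAddressTemplates "SMTP:%g.%s@$TenantDomain" `
    -Priority 1

# 2. Provisioning for a user who may or may not get mail: the Company tag is set on the
#    AD account regardless, so the account is Exchange-ready whenever the customer opts in.
$Sam = 'jdoe_contosoexample'                                   # constructed sample, see the naming rules above
New-ADUser -Name 'John Doe' -GivenName 'John' -Surname 'Doe' -SamAccountName $Sam `
    -UserPrincipalName "jdoe@$TenantDomain" -Path $TenantOU -Company $TenantName `
    -AccountPassword (Read-Host -AsSecureString -Prompt "Password for jdoe@$TenantDomain") -Enabled $true

# 3. Mail-enable only the users who take e-mail. The EAP stamps the address; the ABP
#    and CustomAttribute1 are still needed for address-list segregation.
$WantsMail = $true                                            # in practice: a per-customer provisioning flag
if ($WantsMail) {
    Enable-Mailbox -Identity $Sam
    Set-Mailbox -Identity $Sam -AddressBookPolicy $TenantAbp -CustomAttribute1 $TenantName
    Update-EmailAddressPolicy -Identity "$TenantName EAP"
}

# 4. Check that the stamped primary address is in the tenant domain and not the internal one
Get-Mailbox -Identity $Sam | Select-Object Name, PrimarySmtpAddress, EmailAddressPolicyEnabled, AddressBookPolicy
```

The check in step 4 is the part to keep in a provisioning pipeline: a primary address in the internal domain means the default policy won, usually because the Company value or the recipient container did not match.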

Public folder segmentation works normally with the Public Folder Management Console; you can create subfolders and give permissions as you normally do.

Also for resource mailboxes or room mailboxes, you can create them manually in the EMC and add the Custom Attribute, and it is working fine. I didn't have the time to create a new script based on the New-User script for resource mailboxes. But once the tenant is created you can use the EMC to finish your things.

Thanks for the quick reply. I'm able to send/receive emails from both tenants. But they are still being sent internally. I actually viewed the message details and saw where it gets pointed and how it is sent. Is there a way to forward the email out to the internet and then redirect it back in, so it looks like an external email from the internet rather than an internal email?

Are you currently using a send-connector to send email, or are you using DNS? As far as I'm aware, using a send-connector will solve the issue you are having. The email you send from one tenant should go out the send-connector to your smart host on the internet, and then it will look up the mx records for the other tenant you are sending to, and send the email directly back to your server.

Are you currently using a send-connector to send email, or are you using DNS? As far as I'm aware, using a send-connector will solve the issue you are having. The email you send from one tenant should go out the send-connector to your smart host on the internet, and then it will look up the mx records for the other tenant you are sending to, and send the email directly back to your server.

Hey, I tried what you said, by setting up a send connector to a smart host on the internet. But the thing is, it's not leaving Exchange. The email is just being sent directly through to the other tenant without going out at all. Ideas?

This is from the Microsoft Multi-Tenancy and Hosting Guidance for Exchange 2010 SP2:

Problem or Issue Description: Preventing name resolution of recipients and matching to directory entries from taking place when emails are sent between tenants.

Recommended Approach: It is recommended that you build and implement a custom transport agent on all Hub Transport servers in your organization that is able to determine that an e-mail is being sent between tenants on the same system, and re-routes the mail to deliver to a smart host elsewhere in the network, for subsequent routing back to Exchange.

This approach makes the message appear as having been received from the Internet, which prevents it being resolved to an internal recipient, though message header information may reveal some data, unless that is also re-written.

Because e-mail is delivered to the Internet through a Hub Transport server and then back through a Hub Transport server, there is the possibility that the e-mail could be delivered back to the same Hub Transport server that it was sent from. If this happens, then you get a message looping issue and the mail delivery will fail. In order to prevent this from occurring, we recommend that you create dedicated send connector and receive connector Hub Transport Servers.

Unsupported Solutions: Any transport agent based solution that does not follow the guidelines provided at http://msdn.microsoft.com/en-us/library/dd877026(v=EXCHG.140).aspx

Additional Comments: If you chose not to write the transport agent, ABPs will prevent the exposure of directory data in this scenario, preventing most data from being seen, but ABPs do not solve the issue of making the mail appear as though it came from an external recipient (the display name will show the resolved display name from the directory), nor do ABPs solve the issue of being able to reply to mails when the original sender's mailbox is off-boarded (discussed elsewhere in this document).

I have also tried the smart host to a Barracuda, and since the tenant's domain is considered like localhost for the Exchange server, it does send it internally. That is causing an issue with Out of Office messages because it responds with the internal notice instead of the external notice. Still looking into it.

I haven't looked into the Transport SDK much but from what I have seen is it doesn't look that difficult. I'll try to write a transport agent for this problem and post it when I get finished. Give me a few days and we will see! Thanks!

You've not described your exact requirements. But if they're cozy enough to be willing to split an SBS, they each know that the other exists. So the illusion that each company owns the system, which we need to maintain in true multi-tenancy scenarios, likely doesn't apply here. My guess is that, as far as Exchange is concerned, the most important thing you need is the ability to send and receive for 2 external domains. That's easy. But, ideally, you should also be able to create 2 GALs, and have 2 e-mail address policies. While the techniques have changed, that, too, has been do-able since Exchange 4.0...I've done it with EX 4.0, 5.5 and 2003. (Still working on it with EX2010SP2!)

That said, my SBS multi-tenant experience is limited to supporting 2 external domains, and no other separation, on SBS 2008 R2. But I can't fathom why 2 ABPs and EAPs would be a problem on SBS 2011. The only multi-tenancy feature that's new in EX2010SP2 is multiple ABPs, anyway. So if that didn't work, as long as your clients don't care if they see each others' names on the GAL, it's a problem you don't have to solve. Actually, my 2 clients *liked* having everyone's name in the 2 companies handy because one was a vendor to the other.

As for whether it's supported, well hard to say. My guess is that MS would work with you. But anyone who's ever had a microbusiness client knows that support boundaries have to be viewed as elastic!

Multi-tenancy, in general, is a fuzzy support boundary across all of Microsoft, because every one of their (and others') current products was designed with single-tenancy in mind. Yet MS can't afford to turn its back on multi-tenancy and the cloud.

AD, Exchange, SharePoint, SQL, et al, support very well-defined user and computer objects. But Tenant objects are, today, make-believe. They are syntheses of repurposed, customized, single-tenant objects that we're largely on our own to figure out how to configure and support.

The MS EX2010SP2 multi-tenancy white paper linked to at the top of this page certainly reinforces that view! For that matter, so does the flip-flop on EX2010 /HOSTED vs EX2010SP2. They don't know what they're doing yet, either!

Today, multi-tenancy is an elaborate hack.

I don't think that will change in Microsoft [ProductNameHere] v.Next, but if Microsoft is as serious about the cloud as they say they are, then hopefully, by v.NextAfterThat we'll see baked in multi-tenancy.

In my opinion, then, and only then, can MS afford to tighten support multi-tenancy boundaries. And then, only for v.NextAfterThat.

OK, I've re-read the bit about the GC & ABP's. So you won't be able to use this to separate the GALs on SBS, and MS no longer supports hacking ACLs to do this. So that's something you won't be able to do. If that's a dealbreaker, they'll each need their own system, or else one, or the other, or both, need to use an Exchange cloud provider in lieu of on-premises.

Any way of working around the Global Catalog issue? I have a single server setup. Everything works great in OWA, but with Outlook the GAL shows everyone. Also the OAB can't be downloaded. Any suggestions? Thanks in advance.

I set up from scratch a new DC as global catalog and Exchange as a member server. All seems to work except for downloading offline address book files in Outlook when you hit send/receive. Any luck on solving this issue? Thanks

To correct this: there wasn't an offline address book associated with the database.
In your Mailbox Databases you need to associate an offline address book.
You achieve this from the properties of your mailbox databases inside Organization Management -> Mailbox -> Database Management -> Right Click Properties -> Client Settings.

Once I added the default offline address book, I ran the update address book and then restarted the Exchange File Distribution service. A few minutes later Outlook via RPC over HTTP successfully downloaded the address book.

Hopefully this helps someone; I beat my head against the wall for a couple of days.

In my environment the clients don't download the OAB. I have a dedicated mailbox DB for each tenant. The client returns "An object cannot be found". I have tried to add the Default Offline Address Book to the DB, but this does not help me.
Thank you in advance.
Simone

First of all I would like to thank you for this article. Really, really, great stuff.

Second, if I don't use mailbox db per tenant what would be the best solution to limit total storage space for a tenant's mailboxes. Ok, one solution is to simply track this info externally but is there any way to do this through Exchange?

Just wanted to say we grabbed the scripts today (5/9/12) and they all worked perfectly. After futzing with this for a couple of hours trying to do it by hand, I appreciate the time you put in to build these ... Maybe MS should send you some royalties :)

Let me start by saying THANK YOU! This script is awesome. I am posting this just in case anyone else needs the described functionality.

The script is built for an automatic default of if the user's name is John Doe the e-mail address is set to jdoe@domain.com. In my hosting environment it is important for me to be able to set the alias to JohnD@domain.com or even John.Doe@domain.com if necessary.
So what I did to fix this, is edit the new-user.ps1 file to the following.
--------------------------------------------------------------------------
--------------------------------------------------------------------------

I don't know why that is working for you but you need the custom attribute usage. This is how you properly segregate your customers. If you notice in the address lists they are searching based on that custom attribute.

Hello again, and thank you for your scripts. I have a problem regarding the Public Folders and the GAL. I have successfully segmented the public folders by CustomAttribute1, but I don't see the folders in the GAL. I have tried the following cmdlet:

Thank you so much for your posting. Would you be willing to contact me directly about helping us implement a multi-tenant environment from scratch? Reading through the entire posting convinced me that doing without expertise in house may be over our heads.


I experienced the issue where Address Book Policies worked fine through OWA but would show all address books and all users when using Outlook 2010. My environment consists of 8 servers: 2 DC, 2 CAS, 2 HT, and 2 MB servers. I am not running my CAS servers on a DC/GC, but yet I still experienced this problem. I beat my head into the wall for a few hours until I ran across someone saying "Any Client Device or Client Software accessing Active Directory directly for Directory Access then ABP won't work." My folly was that I was running Outlook 2010 on one of the DC servers initially, and then later installed Outlook on one of the HT servers to test that it wasn't the DC that was causing the issue. Once I installed Outlook 2010 on a client workstation, Address Book Policies worked fine. I am therefore assuming that Outlook on a DC uses a GC directly when it is sitting on one, and an HT also uses a GC directly, as evidenced under Properties/System Settings of the HT. I spent several hours chasing a problem that wasn't really a problem except for where I was running Outlook. Hope this helps some people, as I see a lot of people out there experiencing this issue and everyone blames the "CAS on DC" problem, but that is obviously not the only scenario that causes this issue.

Hi,
I have just 1 question: the White Paper "Configuring Virtual Organizations and Address List Segregation in Exchange 2007" was published some years ago. Is this guide still valid?
In Exchange 2010 SP2, can we follow this document for Active Directory partitioning?

The term 'Get-ADUser' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the
spelling of the name, or if a path was included, verify that the path is correct and try again.

Can anybody help me with the following?
I am creating users with these scripts. The user is created successfully with the following format:
First Name: mekail, Last Name: Khan, email created: mkhan@mycloud.com. I want to change the email account to the following format:
First Name: Mekail, Last Name: Khan, mekail.khan@mycloud.com
Can anybody provide me a solution?

Security Warning
Run only scripts that you trust. While scripts from the Internet can be useful, this script can potentially harm your
computer. Do you want to run C:\Files\TenantScripts\New-Tenant.ps1?
[D] Do not run [R] Run once [S] Suspend [?] Help (default is "D"): r
Created new organizational unit. [OU=Hosting]
Created new organizational unit. [OU=GannonsLAWLLP,OU=Hosting]
Added gannons.co.uk to the forest upn suffixes
Created the Accepted Domain
Created the Global Address List
Created the All Rooms address list
Created the All Users address list
Created the All Contacts address list
Created the All Groups address list
A value can't be provided automatically for the "Server" mandatory parameter. Specify an explicit value for the parameter and try again, or add the Verbose parameter to obtain more information about the failure.
At C:\Users\Administrator.SMARTITDECISION\AppData\Roaming\Microsoft\Exchange\RemotePowerShell\server10.smartitdecisions.com\server10.smartitdecisions.com.psm1:29658 char:31
+ $steppablePipeline.End <<<< ()
+ CategoryInfo : InvalidData: (:) [New-OfflineAddressBook], InvalidOperationException
+ FullyQualifiedErrorId : 6F83D20B,Microsoft.Exchange.Management.SystemConfigurationTasks.NewOfflineAddressBook

Yes, you should be using the UPNSuffixes attribute on the OU. It really would be better practice. I've been in the middle of a datacenter migration (ongoing) and haven't had time to update these scripts or the transport agent that I was working on.

I plan on making a Windows application to do all this for you instead of running scripts.

If you do write a GUI for this, I'm sure it will be appreciated. But please keep the scripts available, too, as your project evolves, because they're a good tool for understanding what needs to be done, and for copying snippets of known-working code.

Great guide, but I have run into a situation where the "New-AddressBookPolicy" cmdlet and GUI tab are missing. Followed the steps by the number, even reinstalled Exchange several times. No joy... still, when using the cmdlet, I get an error indicating an invalid command. Ideas, anyone?

Hi, thanks for the script! It helps a lot!! I have just one problem. After creating the tenants and the accounts, everything works well in OWA, but in Outlook I still see everyone (all the accounts of all the tenants). I don't know if I missed something... I'm using your latest scripts. I have also launched your Secure-DefaultOAB.

So, first, you have to uncheck Global Catalog in AD Sites and Services, on the Exchange server, in the NTDS Settings properties (there are some comments here about that).

I rebooted.

After that I had a main problem... the Microsoft Exchange Address Book service was unable to start, with this error:

Unable to register the MSExchangeAB RPC interface. Failed with the error code The endpoint is a duplicate (1740)

I did this to resolve the issue:

To fix this, locate this registry key:

"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NTDS\Parameters\NSPI interface protocol sequences] and search for a port bind, e.g. 6004. DO NOT touch this if the server is a global catalog; if it has been a global catalog in the past, you can delete the key and restart the server."

I rebooted, and the service could start again (but the key I deleted is still there...). Don't really know what happened...

I have also found this article: http://social.technet.microsoft.com/wiki/contents/articles/864.configure-static-rpc-ports-on-an-exchange-2010-client-access-server.aspx

But I didn't test it.

Now the isolation works fine both in OWA and Outlook.

My config: 2 servers. 1 AD with DC and GC, and another one with Exchange 2011 on the same AD, but without GC (mandatory if we want to have the isolation in Outlook).

Thanks again for the scripts. It's not easy to find information about the way to do it...
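The GC problem described in this comment and in the earlier one about Outlook on a DC or HT server is easy to check for before chasing ABP settings. The following is an added example, not part of the original post or its scripts; it assumes an Exchange 2010 Management Shell with the RSAT ActiveDirectory module available:

```powershell
# Added example, not from the original post or its scripts.
# Lists every Exchange server with the GCs it is currently using and flags
# any server that is itself a global catalog, the setup under which Outlook
# reads the address book straight from AD and Address Book Policies do not
# apply. Loading the module below is also the fix for the
# "Get-ADUser is not recognized" error quoted earlier in the comments.
Import-Module ActiveDirectory

# Names of all global catalog servers in the forest.
$gcNames = Get-ADDomainController -Filter * |
    Where-Object { $_.IsGlobalCatalog } |
    ForEach-Object { $_.Name }

# -Status populates CurrentDomainControllers / CurrentGlobalCatalogs, the same
# values shown on the server's Properties > System Settings tab in the EMC.
Get-ExchangeServer -Status | ForEach-Object {
    $isGc = $gcNames -contains $_.Name
    $warn = ''
    if ($isGc) { $warn = 'Exchange server is a GC: ABPs will not apply to Outlook here' }
    New-Object PSObject -Property @{
        Server          = $_.Name
        Roles           = $_.ServerRole
        IsGlobalCatalog = $isGc
        CurrentGCs      = ($_.CurrentGlobalCatalogs -join ', ')
        Warning         = $warn
    }
} | Format-Table Server, Roles, IsGlobalCatalog, CurrentGCs, Warning -AutoSize
```

Any Exchange server that shows IsGlobalCatalog = True is the case the comments above describe; any workstation or server where Outlook is run should likewise not be a GC.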

I am running 5 tenant orgs, and I have created my environment with the scripts Sir Jacob provided. All tenants are working fine; OWA and Outlook are both working well.
Just remove all the address books from the root domain; I think your Outlook-related issue will be resolved.

TIP: MS multi-tenant guidance says to disable scheduled OAB generation, but neither the document nor TechNet tells you how to do so with PowerShell. To disable scheduled OAB generation with PowerShell, append

Thanks for all the wonderful scripts. I have a case with a tenant with multiple internet domain names: within the tenant, some users use @domainA.com and some use @domainB.com, and some have @domainA.com as the primary SMTP and @domainB.com as an additional email address. Would the script cater for this situation, and how would it be accomplished? Million thanks.

These scripts were created to give you an idea on how to structure Exchange using Address Book Policies. Since there were so many responses I decided to create a custom control panel for myself and any others that may need one.

Currently the only free one I could find is WebsitePanel. It has many features but did seem a little complicated to set up.

Hi, and thanks. I have set up the tenants manually just as you described in the first part of your tutorial. I have two separate domains and they seem to be independent from one another in OWA and Outlook. I have a question about your scripts. Can I run them now in my existing setup?
Would I run ./new-tenant newdomain.com and so forth? Sorry if I misunderstood something. Thanks.

The scripts were meant to show you the back end of how address book policies work. Since we got so many comments on this article, I created a web portal to manage Exchange free of charge. It does more than just Exchange as well.

I absolutely love your script. It was exactly what I needed for a customer who was looking to extend their existing Exchange 2010 environment to be able to host it for smaller divisions with their own domains. They were not to be allowed to see anything of the production environment and vice versa. It works great! Thanks a bunch for all your hard work!!!